Abstract. The discrete logarithm problem in Jacobians of curves of high genus $g$ over finite fields $\mathbb{F}_q$ is known to be computable with subexponential complexity $L_{qg}(1/2, O(1))$. We present an algorithm for a family of plane curves whose degrees in $X$ and $Y$ are low with respect to the curve genus, and suitably unbalanced. The finite base fields are arbitrary, but their sizes should not grow too fast compared to the genus. For this family, the group structure can be computed in subexponential time of $L_{qg}(1/3, O(1))$, and a discrete logarithm computation takes subexponential time of $L_{qg}(1/3 + \varepsilon, o(1))$ for any positive $\varepsilon$. These runtime bounds rely on heuristics similar to the ones used in the number field sieve or the function field sieve algorithms.



1 Introduction 

The discrete logarithm problem in algebraic curves over finite fields has been receiving particular attention since elliptic curves and subsequently Jacobian groups of further algebraic curves have been proposed for discrete logarithm based public key cryptosystems. Although it is now clear that high genus curves are unsuitable for cryptographic use, it remains crucial to study algorithms for solving the discrete logarithm problem in those curves for several reasons. The first reason is that having a better understanding of the situation for high genus curves might lead to algorithmic improvements also in the small genus case. The second reason is that the Weil descent strategy of attacking the discrete logarithm problem in elliptic curves defined over extension fields leads to a discrete logarithm problem in the Jacobian of a high genus curve. Therefore a better algorithm for high genus discrete logarithms becomes naturally a potential threat for some elliptic curves.

It turned out very early that the discrete logarithm problem in high genus hyperelliptic curves (for instance in the sense that the size $q$ of the base field is fixed, while the genus $g$ tends to infinity) can be solved by a subexponential algorithm of complexity $L_{qg}(1/2, O(1))$. The first such algorithm was proposed in [1]. As other subexponential algorithms, it consists of fixing a factor base of small prime elements (here, prime divisors) and of creating relations that correspond to the zero element modulo an equivalence relation (here, equivalence of divisors modulo principal divisors). After collecting sufficiently many relations and somehow introducing the base of the discrete logarithm and the element whose logarithm is sought, linear algebra yields the desired result. Assuming that smooth elements, that is, elements decomposing over the factor base, have the same density as for instance smooth integers or polynomials, such algorithms usually end up with a complexity of $L_{qg}(1/2, O(1))$.

The algorithm in [1] creates relations by randomly taking low degree functions (that are linear in $Y$ for the curve $Y^2 = f(X)$), whose divisors are relations. Its analysis is only heuristic. The first proven algorithms are given in [15] for the infrastructure of real-quadratic hyperelliptic function fields and in [5] for Jacobians of hyperelliptic curves. Relations are obtained in a process similar to that of [11] by taking random linear combinations of factor base elements, reducing modulo the equivalence relation and checking for smoothness. A rigorous analysis is derived from the lower bound on the density of smooth divisors in [7]. A generic description of a similar algorithm can be found in [6]; it applies to all class groups in which a smoothness result is known. Heuristically, it obtains a running time of $L_{qg}(1/2, O(1))$ for the discrete logarithm problem in arbitrary high genus curves; the smoothness result needed for a proof of the complexity is, however, only available for hyperelliptic curves.

A proven algorithm of complexity $L_{qg}(1/2 + \varepsilon, O(1))$ for very general curves over a fixed field $\mathbb{F}_q$ and with genus $g$ tending to infinity (with the only restriction that the curves contain a rational point and that the cardinality of the Jacobian group is bounded by $q^{g + o(\sqrt{g})}$) is given in [3]. Unlike previous algorithms, it appears to be specific to algebraic curves and relies on a double randomisation, taking random combinations of factor base elements and a random function in a Riemann-Roch space. A relation is obtained whenever the divisor of this function is smooth. A more general algorithm is proposed in [13] that yields a proven $L_{qg}(1/2, O(1))$ complexity without any restriction on the input curve.

Another line of research on the discrete logarithm problem for algebraic curves, started in [8] and not pursued in this article, consists of fixing $g$ and having $q$ tend to infinity. This leads to algorithms that are exponential, but faster than generic algorithms of square root complexity as soon as $g \ge 3$, see [9, 4].

In the light of algorithms of complexity $L(1/3)$ for the discrete logarithm problem in finite fields as well as for factoring integers, it has been an open problem to determine whether this complexity can be achieved also for algebraic curves. In this article, we present the first probabilistic algorithm of heuristic complexity $L_{qg}(1/3, O(1))$ to compute the group structure of certain curves whose total degree is relatively small compared to their genus. When introducing the two elements of the Jacobian for which the discrete logarithm problem is to be solved, some sacrifice has to be made; we obtain an algorithm of complexity bounded by $L_{qg}(1/3 + \varepsilon, o(1))$ for any positive constant $\varepsilon$.

The relation collection phase is the same as in [1] and consists of looking for smooth divisors of functions linear in $Y$. By applying it to the curves of our special family, one readily obtains a lower degree of the affine part of the intersection divisor than in the general case, from which a complexity of $L_{qg}(1/3, O(1))$ is derived. For smoothing the two divisors involved in the discrete logarithm problem, a process is employed that is similar to the one used in the number field sieve or in the function field sieve. This is the general special-$Q$ descent strategy (also related to the so-called lattice sieving). Each divisor is partially smoothed into prime divisors of degree less than the starting divisor. Then each such prime divisor $Q$ is smoothed again into smaller prime divisors, and we iterate until every divisor is rewritten in terms of elements of the factor base. However, in our case it is necessary to add an arbitrarily small constant $\varepsilon$ to the $1/3$ parameter to obtain a proper descent phenomenon; otherwise, the process would get stuck after one step.

Let us mention that subsequently to our algorithm, Diem has presented at the 10th Workshop on Elliptic Curve Cryptography (ECC 2006) an algorithm based on similar ideas, but with a quite different point of view. He manages to obtain a complexity of $L(1/3, O(1))$ for the discrete logarithm phase, for which our algorithm takes $L(1/3 + \varepsilon, o(1))$. We will show how to reach a complexity of $L(1/3, O(1))$ for discrete logarithms in our setting in the long, journal version.

Acknowledgement. We thank Claus Diem for his careful reading of our article 
and many useful remarks. 



2 Main idea 

Before describing our algorithm with all its technical details on a general class of curves, we sketch in this section the main idea yielding a complexity of $L_{qg}(1/3, O(1))$ for the relation collection phase for a restricted class of curves. We provide a simplified analysis by hand waving; Section 3 is devoted to a more precise description of the heuristics used and of the smoothness properties needed for the analysis.

Let $\mathbb{F}_q$ be a fixed finite field. We consider a family of $C_{ab}$ curves over $\mathbb{F}_q$, that is, curves of the form

$$C : Y^n + X^d + f(X, Y) = 0$$

without affine singularities such that $\gcd(n, d) = 1$ and any monomial $X^i Y^j$ occurring in $f$ satisfies $ni + dj < nd$. Such a curve has genus $g = $ [formula illegible in the source]; we assume that $g$ tends to infinity, and that $n \approx g^{1/3}$ and $d \approx g^{2/3}$ (we use the symbol $\approx$, meaning "about the same size" with no precise definition). The non-singular model of a $C_{ab}$ curve has a unique point at infinity, and it is $\mathbb{F}_q$-rational; so there is a natural bijection between degree zero divisors and affine divisors, and in the following, we shall only be concerned with effective affine divisors. Choose as factor base $\mathcal{F}$ the $L_{qg}(1/3, O(1))$ prime divisors of smallest degree (that is, the prime divisors up to a degree of $B \approx \log_q L_{qg}(1/3, O(1))$).
To obtain relations, consider functions linear in $Y$ of the form

$$\varphi = a(X) + b(X)Y$$

with $a, b \in \mathbb{F}_q[X]$, $\gcd(a, b) = 1$ and $\deg a, \deg b \le \delta \approx g^{1/3}$. Whenever the affine part $\operatorname{div}(\varphi)$ of the divisor of $\varphi$ is smooth with respect to the factor base, it yields a relation, and we have to estimate the probability of this event.

Let $N$ be the norm of the function field extension $\mathbb{F}_q(C) = \mathbb{F}_q(X)[Y]/(Y^n + X^d + f(X, Y))$ relative to $\mathbb{F}_q(X)$. The norm of $\varphi$ is computed as

$$N(\varphi) = N(b)\, N\!\left(Y + \frac{a}{b}\right) = b^n \left( \left(-\frac{a}{b}\right)^n + X^d + f\!\left(X, -\frac{a}{b}\right) \right) = (-a)^n + b^n X^d + f^*(X),$$

where each monomial $X^i Y^j$ occurring in $f$ is transformed into a monomial $X^i (-a)^j b^{n-j}$ in $f^*$.

Since $\varphi$ is linear in $Y$, all prime divisors it contains are totally split over $\mathbb{F}_q(X)$, and $\varphi$ is $B$-smooth if and only if its norm is. We have

$$\deg_X N(\varphi) \le \max(n \deg a,\, n \deg b + d) = n\delta + d \approx g^{2/3}.$$

Heuristically, we assume that the norm behaves like a random polynomial of degree about $g^{2/3}$. Then it is $B$-smooth with probability $1/L_{qg}(1/3, O(1))$ (this is the same theorem as the one stating that a random polynomial of degree $g$ is $\log_q L_{qg}(1/2, O(1))$-smooth with probability $1/L_{qg}(1/2, O(1))$, cf., for instance, Theorem 2.1 of [2]). Equivalently, we may observe that $\deg(\operatorname{div}(\varphi)) = \deg_X(N(\varphi))$ and assume heuristically that $\operatorname{div}(\varphi)$ behaves like a random effective divisor of the same degree. Then the standard results on arithmetic semigroups (cf. Section 3) yield again that $\operatorname{div}(\varphi)$ is smooth with probability $1/L_{qg}(1/3, O(1))$.

Thus, the expected time for obtaining $|\mathcal{F}| = L_{qg}(1/3, O(1))$ relations is $L_{qg}(1/3, O(1))$, which is also the complexity of the linear algebra step for computing the Smith normal form and thus the group structure of the Jacobian. The complexity of the discrete logarithm problem is not considered here; an analysis for the full algorithm is given in Section 5.

It remains to show that the search space is sufficiently large to yield the required $L_{qg}(1/3, O(1))$ relations, or otherwise said, that the number of candidates for $\varphi$ is at least $L_{qg}(1/3, O(1))$. The number of $\varphi$ is about

$$q^{2\delta} = q^{2 g^{1/3}} = \exp\left(2 \log q \cdot g^{1/3}\right) \le \exp\left(2 \left(g^{1/3} (\log q)^{1/3}\right) \left(\log(g \log q)\right)^{2/3}\right) = L_{qg}(1/3, O(1)).$$

The previous inequality in the place of the desired equality shows that a more rigorous analysis requires a more careful handling of the $\log q$ factors; in particular, $\delta$ has to be slightly increased. Moreover, the constant exponent in the subexponential function needs to be taken into account. This motivates the following section, in which we examine in more detail the smoothness heuristics and results that are needed for the algorithm.
3 Smoothness

The algorithm presented in this article relies on finding relations as smooth divisors of random polynomial functions of low degree. We suppose that all curves are given by an absolutely irreducible plane affine model

$$C : F(X, Y) = 0$$

with $F \in \mathbb{F}_q[X, Y]$, where $\mathbb{F}_q$ is the exact constant field of the function field of $C$. The factor base $\mathcal{F}$ consists essentially of the places of degree bounded by some parameter $\mu$, with a few technical modifications. Precisely, $\mathcal{F}$ is composed of the following places:

— the places corresponding to the resolution of singularities, regardless of their degrees, whose number is bounded by $\frac{(d-1)(d-2)}{2}$ with $d = \deg F$. By including them in $\mathcal{F}$, the algorithm can be described as if the curves were non-singular.

— the infinite places corresponding to non-singularities, regardless of their degrees, whose number is bounded by $d$ by Bézout's theorem. By adding them, it becomes sufficient to only examine the affine part of any divisor.

— places of degree bounded by some parameter $\mu$ and of inertia degree 1 with respect to the function field extension $\mathbb{F}_q(X)[Y]/(F)$ over $\mathbb{F}_q(X)$. Otherwise said, places corresponding to prime ideals of the form $(u, Y - v)$ with $u \in \mathbb{F}_q[X]$ irreducible of degree at most $\mu$ and $v \in \mathbb{F}_q[X]$ of degree less than $\deg u$; the inertia degree is in fact the degree of the second generator in $Y$. Due to the way relations are obtained in the algorithm, no places of higher inertia degree may occur.

A divisor is called $\mathcal{F}$-smooth if it can be decomposed over the factor base; thus only its affine part plays a role, and for polynomial functions, this is an effective (i.e. non-negative) divisor. An effective divisor is called $\mu$-smooth if it is composed only of places of degree up to $\mu$. To be able to analyse the smoothness probability, we need the following reasonable assumption.

Heuristic 1. Let $D$ be the divisor of a uniformly randomly chosen polynomial of the form $b(X)Y - a(X)$ and $\nu$ the degree of its affine part. Then the probability of $D$ to be $\mathcal{F}$-smooth is the same as that of a random effective divisor of degree $\nu$ to be $\mu$-smooth.

Heuristic 1 covers the relation collection phase. For computing discrete logarithms, arbitrary non-principal divisors need to be smoothed, and another assumption is needed.

Heuristic 2. The probability of a uniformly randomly chosen effective divisor of degree $\nu$ to be $\mathcal{F}$-smooth is essentially the same as that of being $\mu$-smooth.

Heuristic 2 claims in fact that places of inertia degree larger than 1 do not play a role for smoothness considerations. In the analogous case of number fields this is justified by the observation that these places have a Dirichlet density of 0, and the situation is completely analogous for function fields: A place of degree $\mu$ and inertia degree $f$ dividing $\mu$ corresponds to a closed point on $C$ with $X$-coordinate in $\mathbb{F}_{q^{\mu/f}}$ and $Y$-coordinate in $\mathbb{F}_{q^{\mu}}$, of which there are on the order of $q^{\mu/f}$. Clearly, places with $f \ge 2$ are completely negligible.

The probability of $\mu$-smoothness is ruled by the usual results on smoothness probabilities in arithmetic semigroups such as the integers or polynomials over a finite field, cf. [14].

Unfortunately most results in the literature assume a fixed semigroup and give asymptotics for $\mu$ and $\nu$ tending to infinity, whereas we need information that is uniform over an infinite family of curves. Theorem 13 of [13] provides such a result:

Theorem 3 (Heß). Let $0 < \varepsilon < 1$, $\gamma = $ [value illegible in the source], and $\nu$, $\mu$ and $u = \nu/\mu$ such that $3 \log_q(14g + 4) \le \mu \le \nu^{\varepsilon}$ and $u \ge 2 \log(q + 1)$. Denote by $\psi(\nu, \mu)$ the number of $\mu$-smooth effective divisors of degree $\nu$. Then for $\mu$ and $\nu$ sufficiently large (with an explicit bound depending only on $\varepsilon$, but not on $q$ or $g$),

$$\frac{\psi(\nu, \mu)}{q^{\nu}} \ge e^{-u \log u \left(1 + \frac{\log \log u}{\log u}\right)} = e^{-u \log u\, (1 + o(1))}.$$

Notice that the proof of Theorem 3, similar in spirit to that for hyperelliptic curves in [7], is entirely combinatorial and relies on the fact that there are essentially $q^{\mu}/\mu$ places of degree $\mu$. So we expect the result to hold even if one restricts to places of inertia degree 1.

Denote by

$$L(\alpha, c) = L_{qg}(\alpha, c) = e^{c\, (g \log q)^{\alpha} (\log(g \log q))^{1 - \alpha}}$$

for $0 < \alpha < 1$ and $c > 0$ the subexponential function with respect to $g \log q$, and let

$$M = M_{qg} = \log_q(g \log q) = \frac{\log(g \log q)}{\log q}.$$

The parameter $g \log q$ will be the input size for the class of curves we consider; more intrinsically, this is the logarithmic size of the group in which the discrete logarithm problem is defined.

Proposition 4. Let $\nu = \lfloor \log_q L(\alpha, c) \rfloor = \lfloor c\, g^{\alpha} M^{1-\alpha} \rfloor$ and $\mu = \lceil \log_q L(\beta, d) \rceil = \lceil d\, g^{\beta} M^{1-\beta} \rceil$ with $0 < \beta < \alpha < 1$ and $c, d > 0$. Assume that there is a constant $\delta > \frac{1-\alpha}{\alpha-\beta}$ such that $g \ge (\log q)^{\delta}$. Then for $g$ sufficiently large,

$$\frac{\psi(\nu, \mu)}{q^{\nu}} \ge L\!\left(\alpha - \beta,\, -\frac{c}{d}(\alpha - \beta) + o(1)\right),$$

where $o(1)$ is a function that is bounded in absolute value by a constant (depending on $\alpha$, $\beta$, $c$, $d$ and $\delta$) times $\frac{\log \log (g \log q)}{\log (g \log q)}$.

Proof. One computes

$$u = \frac{\nu}{\mu} \le \frac{c}{d} \left( \frac{g \log q}{\log(g \log q)} \right)^{\alpha - \beta}$$

(the inequality being due only to the rounding of $\nu$ and $\mu$),

$$\log u = (\alpha - \beta) \log(g \log q)\, (1 + o(1))$$

and

$$\frac{\log \log u}{\log u} = o(1),$$

with both $o(1)$ terms being of the form stipulated in the proposition. Applying Theorem 3 yields the desired result. Its prerequisites are satisfied since

$$\lim_{g \to \infty} \frac{\log \mu}{\log \nu} = \lim_{g \to \infty} \frac{\beta \log g - (1 - \beta) \log \log q}{\alpha \log g - (1 - \alpha) \log \log q} \le \lim_{g \to \infty} \frac{\beta \log g}{\alpha \log g - \frac{1 - \alpha}{\delta} \log g} =: \varepsilon < 1$$

because of the definition of $\delta$. Notice further that $g \to \infty$ is equivalent to $g \log q \to \infty$, and that also $\mu$ and $\nu$ tend to infinity when $g$ does. □

The choice of $\mu$ shall insure that the factor base size, that is about $q^{\mu}$, becomes subexponential. But the necessary rounding of $\mu$, which may increase $q^{\mu}$ by a factor of almost $q$, may result in more than subexponentially many elements in the factor base when $q$ grows too fast compared to $g$.

Proposition 5. Let $0 < \beta < 1$ and $\delta > \frac{1-\beta}{\beta}$. If $g \ge (\log q)^{\delta}$, then $q = L(\beta, o(1))$ for $g \to \infty$. In particular, $\delta > \max\left(\frac{1-\beta}{\beta}, \frac{1-\alpha}{\alpha-\beta}\right)$ in Proposition 4 implies that $q^{\mu} = L(\beta, d + o(1))$.

Proof. To verify the first assertion, one computes

$$q = e^{\log q} = e^{(\log q)^{1-\beta} (\log q)^{\beta}} \le e^{g^{(1-\beta)/\delta} (\log q)^{\beta} (\log(g \log q))^{1-\beta}} = e^{(g \log q)^{\beta} (\log(g \log q))^{1-\beta}\, g^{\frac{1-\beta}{\delta} - \beta}},$$

and $g^{\frac{1-\beta}{\delta} - \beta} \to 0$ since $\frac{1-\beta}{\delta} - \beta < 0$. The second assertion is obvious. □
4 Computing the group structure

This section is concerned with the relation collection phase of the discrete logarithm algorithm; an immediate application is the computation of the cardinality and the group structure of the Jacobian of the curve. Relation collection is virtually identical to the process described for hyperelliptic curves in [1]; the running time of $L(1/3, O(1))$ is obtained by applying it to a particular class of curves that are of relatively low degree with respect to their genus and for which the degrees in $X$ and $Y$ of a plane model are balanced in a certain way.

We consider absolutely irreducible curves over finite fields $\mathbb{F}_q$ of characteristic $p$ of the form

$$C : Y^n + F(X, Y) = 0$$

with $F(X, Y) \in \mathbb{F}_q[X, Y]$ of degree $d$ in $X$ and at most $n - 1$ in $Y$. The function field extension $\mathbb{F}_q(C) = \mathbb{F}_q(X)[Y]/(Y^n + F(X, Y))$ over $\mathbb{F}_q(X)$ is supposed to be separable (which is for instance the case if $p \nmid n$).

Most importantly, the degrees $n$ and $d$ are related to the genus $g$ by

$$n \le n_0\, g^{1/3} M^{-1/3} \quad \text{and} \quad d \le d_0\, g^{2/3} M^{1/3},$$

where $M = \frac{\log(g \log q)}{\log q}$ and $n_0$, $d_0$ are some positive constants.

For instance, $C$ may be a $C_{ab}$ curve of degree $n \approx g^{1/3} M^{-1/3}$ in $Y$ and $d \approx 2 g^{2/3} M^{1/3}$ in $X$.

For the running time analysis, we will want to apply Propositions 4 and 5 with $\alpha = 2/3$ and $\beta = 1/3$; so we have to assume that the curves belong to a family satisfying $g \ge (\log q)^{\delta}$ for some $\delta > 2$.



Algorithm 6 (Group structure).

Input: a curve $C$ as above

Output: $h = |J_C(\mathbb{F}_q)|$ and divisors $D_1, \ldots, D_r$ with their orders $h_1, \ldots, h_r$ s.t.

$$J_C(\mathbb{F}_q) = \langle D_1 \rangle \times \cdots \times \langle D_r \rangle$$

1. Compute an approximation of $h$ within a factor of 2, that is, $h^-$ and $h^+$ s.t.

$$h^- \le h \le h^+ \quad \text{and} \quad h^+ \le 2h^-.$$

2. Fix a smoothness bound $B = \lceil \log_q L(1/3, \rho) \rceil$ (with a parameter $\rho$ to be determined later) and compute the factor base $\mathcal{F}$ consisting of all affine prime divisors of $C$ of degree at most $B$ as well as all infinite prime divisors and prime divisors corresponding to singularities regardless of their degrees. Let $t = |\mathcal{F}|$ and $\mathcal{F} = \{P_1, \ldots, P_t\}$.

3. Start with an empty matrix of relations $R$ and repeat the following step until $s \ge 2t$ relations are obtained (in practice, $s$ slightly larger than $t$ should suffice):

Draw uniformly at random a function

$$\varphi = b(X)Y - a(X) \in \mathbb{F}_q(C)$$

with $a, b \in \mathbb{F}_q[X]$ of degree at most

$$m = \lfloor \sigma\, g^{1/3} M^{2/3} \rfloor$$

(with a parameter $\sigma$ to be determined later). If its divisor is $\mathcal{F}$-smooth, that is,

$$\operatorname{div} \varphi = \sum_{i=1}^{t} e_i P_i,$$

add a column $(e_1, \ldots, e_t)^T$ to the matrix $R$.

4. Compute the rank of $R$; if it is less than $t$, declare failure and stop.

5. Compute the Smith normal form $S = \operatorname{diag}(h_r, \ldots, h_1, 1, \ldots, 1)$ of $R$, where $1 \ne h_1 \,|\, h_2 \,|\, \cdots \,|\, h_r$, and unimodular transformation matrices $T \in \mathbb{Z}^{t \times t}$ and $U \in \mathbb{Z}^{s \times s}$ s.t. $TRU = (S \,|\, 0)$. Let $h = h_1 \cdots h_r$. If $h > h^+$, declare failure and stop. Otherwise return $h$, $D_1, \ldots, D_r$ s.t.

$$(D_1, \ldots, D_r, 0, \ldots, 0) = (P_1, \ldots, P_t)\, T^{-1}$$

and $h_1, \ldots, h_r$.
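Steps 4 and 5 of Algorithm 6 reduce the group structure to integer linear algebra on the relation matrix. The following Python is an added illustration written for this page, not the paper's own software: it computes the diagonal of the Smith normal form of an integer matrix by row and column operations and reads off $h$ and the invariant factors $h_1, \ldots, h_r$ as Steps 4 and 5 do. The relation matrix RELATIONS is constructed for three hypothetical factor base elements $P_1, P_2, P_3$ and four relation columns (the last one a redundant combination of the first two); the transformation matrices $T$ and $U$ that Algorithm 6 needs to recover the generators $D_i$ are not tracked here.

```python
def smith_invariants(matrix):
    """Diagonal of the Smith normal form of an integer matrix: non-negative
    entries, each dividing the next. Only row and column operations are used,
    so the lattice spanned by the columns (the relation lattice) is unchanged."""
    A = [row[:] for row in matrix]
    m, n = len(A), len(A[0])
    diag = []
    for t in range(min(m, n)):
        # pivot: the nonzero entry of smallest absolute value in the trailing block
        piv = min(((abs(A[i][j]), i, j) for i in range(t, m) for j in range(t, n)
                   if A[i][j] != 0), default=None)
        if piv is None:
            break                                   # trailing block is zero: rank reached
        _, i, j = piv
        A[t], A[i] = A[i], A[t]
        for row in A:
            row[t], row[j] = row[j], row[t]
        while True:
            p = A[t][t]
            for i in range(t + 1, m):               # row operations clear column t
                q = A[i][t] // p
                if q:
                    A[i] = [x - q * y for x, y in zip(A[i], A[t])]
            for j in range(t + 1, n):               # column operations clear row t
                q = A[t][j] // p
                if q:
                    for row in A:
                        row[j] -= q * row[t]
            rest = ([(abs(A[i][t]), i, t) for i in range(t + 1, m) if A[i][t]] +
                    [(abs(A[t][j]), t, j) for j in range(t + 1, n) if A[t][j]])
            if rest:                                # a smaller remainder survived: make it the pivot
                _, i, j = min(rest)
                if i != t:
                    A[t], A[i] = A[i], A[t]
                else:
                    for row in A:
                        row[t], row[j] = row[j], row[t]
                continue
            bad = next(((i, j) for i in range(t + 1, m) for j in range(t + 1, n)
                        if A[i][j] % p), None)
            if bad is None:
                break                               # pivot divides the whole trailing block
            A[t] = [x + y for x, y in zip(A[t], A[bad[0]])]  # pull the offending row up
        diag.append(abs(A[t][t]))
    return diag


def group_structure(R, h_plus=None):
    """Steps 4 and 5 of Algorithm 6 on a t x s relation matrix R (rows = factor
    base elements P_i, columns = relations). Returns (h, [h_1, ..., h_r]), or
    None when the rank is below t or h exceeds the upper bound h_plus."""
    t = len(R)
    diag = smith_invariants(R)
    if len(diag) < t:
        return None                                 # Step 4: rank deficient, failure
    invariants = [d for d in diag if d != 1]        # S = diag(h_r, ..., h_1, 1, ..., 1)
    h = 1
    for d in invariants:
        h *= d
    if h_plus is not None and h > h_plus:
        return None                                 # Step 5: inconsistent with h^+
    return h, invariants


# Constructed relation matrix for three hypothetical factor base elements; it was
# built as U * diag(1, 2, 12) * V with unimodular U, V and one redundant column
# (col 4 = col 1 + col 2), so it encodes a group Z/2 x Z/12 of order 24.
RELATIONS = [[5, 2, 0, 7],
             [16, 14, 12, 30],
             [12, 12, 12, 24]]

if __name__ == "__main__":
    print(group_structure(RELATIONS, h_plus=30))    # (24, [2, 12])
```

The pivot is always the smallest nonzero entry of the trailing block and every remainder produced by the Euclidean steps is strictly smaller, so each pass of the inner loop either terminates or shrinks the pivot; the final divisibility check is what turns a diagonal form into the Smith form with $h_1 \,|\, h_2 \,|\, \cdots$.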

That the algorithm is correct follows from standard arguments such as given 
in [1, 5, 6]. It remains to prove its failure probability and running time. We also 
have to show that there actually are subalgorithms to carry out the different 
steps; these are given together with the following running time analysis. 

1. An approximation $\tilde h$ of $h$ can be obtained by appropriately truncating the $L$-series of the curve as in [13, Section 6]. The necessary counting of the number of points on the curve over a small number of extension fields is shown in [13] to be polynomial in $g$ and $\log q$ for curves of degree in $O(g)$. The bounds on $h$ are then given by $h^- = \tilde h/\sqrt{2}$ and $h^+ = \sqrt{2}\, \tilde h$.

2. The affine prime divisors of degree up to $B$ are obtained by enumerating all irreducible monic polynomials $f \in \mathbb{F}_q[X]$ of degree up to $B$ and factoring $Y^n + F(X, Y)$ over $\mathbb{F}_q[X]/(f)[Y]$. Each factor of degree $w$ yields a prime divisor of degree $w \deg f$. Altogether, these factorisations can be carried out by $O(q^B)$ repetitions of a randomised algorithm with an expected running time that is polynomial in $n$, $B$ and $\log q$, and thus ultimately in $g \log q$. Since polynomial terms are in $L(1/3, o(1))$, they can be neglected, and we retain only the term $O(q^B)$ for the remainder of the analysis.

The number of singular places is bounded by $O((nd)^2) = O(g^2)$ using the genus formula for a plane curve. They can be fully described in polynomial time, by computing the desingularisation trees of the singular points (see for instance [10]).

The non-singular places at infinity are included in the intersection of the projective curve with the line $Z = 0$, which has at most $O(nd) = O(g)$ elements by Bézout's theorem, and these are also computable in polynomial time.

So this step terminates with a factor base of size

$$t = O(n q^B) = L(1/3, \rho + o(1))$$

that is computed in time $L(1/3, \rho + o(1))$.

3. To estimate the smoothness probability of $\operatorname{div} \varphi$ under Heuristic 1, we need to compute the degree of its affine part. Denote the affine degree of a divisor by $\deg_{\mathrm{aff}}$. Let $\sigma_1, \ldots, \sigma_n$ be the different embeddings of $\mathbb{F}_q(C)$ into its Galois closure (that exists because the function field extension is assumed to be separable). Since the $\sigma_i$ fix $\mathbb{F}_q(X)$, they send affine to affine and infinite to infinite prime divisors. Hence, all the $\deg_{\mathrm{aff}}(\varphi^{\sigma_i})$ are the same and given by

$$\deg_{\mathrm{aff}} \varphi = \frac{1}{n} \deg_{\mathrm{aff}} N_{\mathbb{F}_q(C)/\mathbb{F}_q(X)}(\varphi) = \deg_X N(\varphi).$$

The norm of $\varphi$ is computed as $N(\varphi) = \operatorname{Res}_Y(\varphi, Y^n + F(X, Y))$, and its degree in $X$ is bounded from above by

$$\deg_X \varphi \cdot \deg_Y C + \deg_Y \varphi \cdot \deg_X C = nm + d.$$

The divisor of $\varphi$ is $B$-smooth if and only if its norm is; this test as well as the decomposition of a smooth $\operatorname{div} \varphi$ into prime divisors boils down to a factorisation of the norm in $\mathbb{F}_q[X]$ and takes random polynomial time. Let $\tau = (n_0 \sigma + d_0)/3$. Applying Propositions 4 and 5 under Heuristic 1 with $nm + d \le 3\tau\, g^{2/3} M^{1/3}$ in the place of $\nu$ and $B = \lceil \rho\, g^{1/3} M^{2/3} \rceil$ in the place of $\mu$ shows that a relation is obtained on average in time $L(1/3, \tau/\rho + o(1))$, so that this step takes overall

$$L\!\left(1/3,\, \frac{\tau}{\rho} + \rho + o(1)\right).$$

4. and 5. Since all entries of the matrix are of bit size polynomial in $g \log q$, its rank and Smith normal form can be computed in quartic time according to [16, Proposition 8.10], that is in

$$L(1/3, 4\rho + o(1)).$$

The total running time of the algorithm thus becomes

$$L\!\left(1/3,\, \max\left(\frac{\tau}{\rho} + \rho,\, 4\rho\right) + o(1)\right)$$

with $\tau = (n_0 \sigma + d_0)/3$.

For any fixed $\sigma$ (and thus $\tau$), the value of $\rho$ that minimises the running time is $\rho = \sqrt{\tau/3}$, and we get a complexity of $L\!\left(1/3,\, 4\sqrt{\tau/3} + o(1)\right)$.

Now $\tau$ is not a completely free parameter; it is connected to the success probability of the algorithm. It is in fact not clear whether the algorithm has a non-zero success probability at all; as in [1], it is already unknown whether the principal divisors of the special form considered in Step 3 generate the full relation lattice. The analysis of the proven subexponential algorithm in [5], for instance, exploits the fact that the created relations are essentially uniformly distributed among all possible relations in a hypercube of side length about $|J_C(\mathbb{F}_q)|$. Since all our relations are sparse, this line of argumentation definitely cannot be applied; as in [1], the non-negligible success probability of the algorithm can only be conjectured (and notice also that it does not follow from a smoothness assumption such as Heuristic 1).

A necessary condition for the success of the algorithm is nonetheless that the number of potential functions $\varphi$ tested for smoothness in Step 3 must be at least as large as the number of tests, since otherwise the matrix is filled with redundant multiple relations. Thus we need $q^{2m} \ge L\!\left(1/3,\, 4\sqrt{\tau/3}\right)$ or, taking logarithms,

$$2\sigma \ge \frac{4}{\sqrt{3}} \sqrt{\tau} = \frac{4}{3} \sqrt{n_0 \sigma + d_0},$$

which holds asymptotically for $\sigma \to \infty$. Precisely, the optimal value of $\sigma$ is the positive solution of the quadratic equation $\sigma^2 - \frac{4}{9} n_0 \sigma - \frac{4}{9} d_0 = 0$.



5 Computing discrete logarithms 

In order to smooth the basis of the discrete logarithm and the element whose logarithm is sought, we are going to perform a special-$Q$ descent with a slightly larger subexponentiality parameter $1/3 + \varepsilon$. Let us first describe an algorithm that does one step of the special-$Q$ descent and that will be used as a building block by the final algorithm.

Heuristic Result 7. Let $Q$ be an affine prime divisor of the curve $C$ of the form $\operatorname{div}(u(X), Y - v(X))$, with $\deg u(X) \le \log_q L(1/3 + t, c)$ for some constants $c > 0$ and $\varepsilon \le t \le 1/3 - \varepsilon$. There is an algorithm that finds a divisor $R$ equivalent to $Q$ such that all prime divisors of $R$ are either in $\mathcal{F}$ or have a degree bounded by $\log_q L(1/3 + t - \varepsilon, c')$, and such that all these prime divisors are of the form $\operatorname{div}(u_i(X), Y - v_i(X))$. The heuristic expected running time is bounded by $L\!\left(1/3 + \varepsilon,\, \frac{c n_0}{c'}(1/3 + \varepsilon + o(1))\right)$.

Justification. Let us consider the set $\mathcal{L}_Q$ of functions of the form $a(X) + b(X)Y$ whose divisors contain $Q$ in their support. In other words, this is the $\mathbb{F}_q[X]$-lattice

$$\mathcal{L}_Q = \{ a(X) + b(X)Y : u(X) \mid a(X) + v(X)b(X) \}.$$

A basis of this lattice is given by the two vectors $b_1 = u(X)$ and $b_2 = -v(X) + Y$. Hence,

$$\mathcal{L}_Q = \{ \lambda(X) b_1 + \mu(X) b_2 : \lambda, \mu \in \mathbb{F}_q[X] \}.$$

When $\lambda$ and $\mu$ are taken of degree at most $\delta = \log_q L(1/3 + t, c)$, the function $\varphi$ corresponding to $\lambda(X) b_1 + \mu(X) b_2$ has the form $a(X) + b(X)Y$ with $a$ and $b$ of degree $\Delta \le 2 \log_q L(1/3 + t, c)$. The degree of the norm of $\varphi$ is then $\Delta n + d$, which is dominated by $\log_q L(2/3 + t, c n_0)$.

We rely now on Heuristic 1 that says that the zero divisor of the function has the same smoothness properties as a random effective divisor of the same degree, and apply Proposition 4. Therefore the expected number of functions one has to try before having found one whose divisor is $\log_q L(1/3 + t - \varepsilon, c')$-smooth is

$$L\!\left(1/3 + \varepsilon,\, \frac{c n_0}{c'}(1/3 + \varepsilon + o(1))\right).$$

The fact that the prime divisors that we obtain are of the same form as $Q$ comes from the shape of the function we have chosen.

It remains to check that the number of functions we can test in the lattice is large enough compared to this expected number of tests. With our choice of $\delta$, the size of the sieving space is $L(1/3 + t, 2c)$, which is larger than any $L(1/3 + \varepsilon)$ since $t$ is greater than $\varepsilon$. □
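The relation search of Section 2 (the norm of $a + bY$ and the smoothness test by factoring that norm in $\mathbb{F}_q[X]$) and the lattice $\mathcal{L}_Q$ of the justification above, as one added Python example that is not code from the paper. Everything in it is constructed for the illustration: the base field $\mathbb{F}_7$, the $C_{ab}$ curve $Y^3 + X^4 + XY + 1 = 0$ (it satisfies $\gcd(3, 4) = 1$ and $3i + 4j < 12$ for the monomials of $f$; its affine non-singularity is not checked), the place $Q = \operatorname{div}(X, Y - 3)$, and all function and variable names. The smoothness test is a distinct-degree factorisation, which decides $B$-smoothness without computing the full factorisation.

```python
# Added example, not code from the paper: relation candidates phi = a(X) + b(X)Y
# on a constructed C_ab curve over F_7 (Section 2) and the special-Q lattice L_Q
# (Section 5). Polynomials over F_P are lists of coefficients, lowest degree first.
P = 7                                        # constructed base field F_7
N_DEG = 3                                    # constructed curve Y^3 + X^4 + X*Y + 1 = 0,
CURVE = {(0, 3): 1, (4, 0): 1, (1, 1): 1, (0, 0): 1}   # stored as {(i, j): coeff of X^i Y^j}

def trim(f):
    """Reduce coefficients mod P and drop leading zeros."""
    f = [c % P for c in f]
    while f and f[-1] == 0:
        f.pop()
    return f

def add(f, g):
    n = max(len(f), len(g))
    return trim([(f[i] if i < len(f) else 0) + (g[i] if i < len(g) else 0) for i in range(n)])

def neg(f):
    return trim([-c for c in f])

def mul(f, g):
    out = [0] * (len(f) + len(g) - 1) if f and g else []
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] += a * b
    return trim(out)

def power(f, e):
    r = [1]
    for _ in range(e):
        r = mul(r, f)
    return r

def divmod_poly(f, g):
    """Long division in F_P[X]; g must be nonzero. Returns (quotient, remainder)."""
    r, inv = trim(f), pow(g[-1], -1, P)
    q = [0] * max(len(r) - len(g) + 1, 1)
    while len(r) >= len(g):
        k, c = len(r) - len(g), r[-1] * inv % P
        q[k] = c
        r = trim([r[i] - (c * g[i - k] if i >= k else 0) for i in range(len(r))])
    return trim(q), r

def monic(f):
    return trim([c * pow(f[-1], -1, P) for c in f]) if f else f

def gcd(f, g):
    while g:
        f, g = g, divmod_poly(f, g)[1]
    return monic(f)

def powmod(base, e, mod):
    """base^e modulo the polynomial mod, by square and multiply."""
    result, b = [1], divmod_poly(base, mod)[1]
    while e:
        if e & 1:
            result = divmod_poly(mul(result, b), mod)[1]
        b, e = divmod_poly(mul(b, b), mod)[1], e >> 1
    return result

def norm(a, b):
    """Norm of a + bY down to F_P(X) as in Section 2: b^n * G(X, -a/b), i.e. every
    monomial X^i Y^j of the curve equation G becomes X^i (-a)^j b^(n-j)."""
    total = []
    for (i, j), c in CURVE.items():
        total = add(total, mul([0] * i + [c], mul(power(neg(a), j), power(b, N_DEG - j))))
    return total

def unsmooth_part(f, B):
    """Distinct-degree factorisation: gcd(f, X^(P^i) - X) collects the irreducible
    factors of degree dividing i; dividing them out for i = 1..B leaves the
    constant 1 exactly when f is B-smooth."""
    f, x = monic(f), [0, 1]
    for i in range(1, B + 1):
        if len(f) <= 1:
            break
        g = gcd(f, add(powmod(x, P ** i, f), neg(x)))
        while len(g) > 1:
            f = divmod_poly(f, g)[0]             # remove every multiplicity of these factors
            g = gcd(f, g)
    return f

def is_relation(a, b, B):
    """phi = a + bY yields a relation iff gcd(a, b) = 1 and its norm is B-smooth."""
    return gcd(a, b) == [1] and unsmooth_part(norm(a, b), B) == [1]

def lattice_function(lam, mu, u, v):
    """lam*b1 + mu*b2 for the basis b1 = u(X), b2 = Y - v(X) of L_Q: the function
    a + bY with a = lam*u - mu*v and b = mu, where Q = div(u(X), Y - v(X))."""
    return add(mul(lam, u), neg(mul(mu, v))), mu

def contains_q(a, b, u, v):
    """Q = div(u(X), Y - v(X)) lies in the support of a + bY iff u divides a + v*b."""
    return divmod_poly(add(a, mul(v, b)), u)[1] == []

if __name__ == "__main__":
    print(norm([2, 1], [1]), is_relation([2, 1], [1], 1))   # (X+2) + Y: norm X^3 (X-1)
    U, V = [0, 1], [3]             # constructed Q = div(X, Y - 3); (0, 3) lies on the curve
    a, b = lattice_function([1, 1], [2], U, V)
    print(a, b, contains_q(a, b, U, V), divmod_poly(norm(a, b), U)[1] == [])
```

For $\varphi = (X + 2) + Y$ the norm is $X^3(X - 1)$ and for $\varphi = 1 + XY$ it is $(X - 1)^7$, both 1-smooth over $\mathbb{F}_7$, while $X^2 + 1$ shows a factor that survives $B = 1$ but not $B = 2$. lattice_function realises $\lambda b_1 + \mu b_2$ and contains_q checks the defining condition $u \mid a + vb$ of $\mathcal{L}_Q$; for any such function the norm is divisible by $u$, which is what makes $Q$ appear in its divisor.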

This result suffices to carry out a full descent if one can initialise the process and finish it once smoothness is reached up to a $t \le \varepsilon$. The next two heuristic results explain these steps.

Heuristic Result 8. Assume that $\rho \ge \left(\frac{1}{3} + \varepsilon\right) \frac{n_0}{2}$. Let $Q$ be an affine prime divisor of $C$ of the form $\operatorname{div}(u(X), Y - v(X))$, with $\deg u(X) \le \log_q L(1/3 + t, c)$, for some constants $c > 0$ and $0 \le t \le \varepsilon$. There is an algorithm that finds a divisor $R$ equivalent to $Q$ such that all prime divisors of $R$ are in $\mathcal{F}$ (defined with this value of $\rho$), and such that all these prime divisors are of the form $\operatorname{div}(u_i(X), Y - v_i(X))$. The heuristic expected running time is bounded by

$$L\!\left(1/3 + t,\, (1/3 + t)\frac{c n_0}{\rho} + o(1)\right).$$

Justification. Let us consider the same lattice $\mathcal{L}_Q$ as in the justification of Heuristic Result 7. Assume that $\lambda$ and $\mu$ are taken of degree at most $\delta = \log_q L(1/3 + t, c)$; then, as before, the norms of the corresponding functions are of degree bounded by $\log_q L(2/3 + t, c n_0)$. Using again Heuristic 1, one gets by Proposition 4 that a $\log_q L(1/3, \rho)$-smooth divisor can be obtained in heuristic expected time

$$L\!\left(1/3 + t,\, (1/3 + t)\frac{c n_0}{\rho} + o(1)\right).$$

One has to check that we have enough possibilities for $\lambda$ and $\mu$ to cover this search. The sieving space is $q^{2\delta} = L(1/3 + t, 2c)$. Therefore it is large enough if $2c \ge (1/3 + t)\frac{c n_0}{\rho}$, that is if $\rho \ge (1/3 + t)\frac{n_0}{2}$. Since $\varepsilon \ge t$, this is guaranteed by our hypothesis on $\rho$. □

Heuristic Result 9. Let $D$ be a degree zero divisor and $\sum_P m_P P$ its decomposition into prime divisors such that $\sum_P |m_P| \in O(g)$. Then there is an algorithm that finds a divisor $R$ equivalent to $D$ such that all prime divisors of $R$ are of the form $\operatorname{div}(u_i(X), Y - v_i(X))$ with $\deg u_i(X) \le \log_q L(2/3 - \varepsilon, c)$. The heuristic expected running time is bounded by $L(1/3 + \varepsilon,\, (1/3 + \varepsilon)/c + o(1))$.

Justification. In order to smooth $D$, we apply the classical Hafner-McCurley strategy: a random linear combination of elements of the factor base is added to $D$, and the obtained divisor is tested for smoothness. Each test takes polynomial time since the effective group law in the Jacobian reduces to computing Riemann-Roch spaces as in [12].

Following Heuristic 2, the additional restriction on the form of the prime divisors has no influence on the running time, and the desired result follows from Proposition 4. □

Armed with these heuristic partial smoothing results, we can now derive a full special-$Q$ descent algorithm. Let us fix a constant $\varepsilon > 0$, a parameter of the algorithm. This $\varepsilon$ is to be thought of as small (and of course $\varepsilon < 1/6$). The algorithm assumes that Algorithm 6 has been run as a precomputation, with a value of $\rho$ that is larger than a bound given below. Similarly, the constants $c_0$ and $c_K$ are made explicit below.

Algorithm 10 (Discrete logarithm).

1. Use Heuristic Result 9 to build a list $L$ of prime divisors of degree at most $\log_q L(2/3 - \varepsilon, c_0)$, such that if we know their discrete logarithms, the discrete logarithm of $D$ is implied.

2. While there is a $Q$ in $L$ of degree more than $\log_q L(1/3 + \varepsilon, c_K)$, use Heuristic Result 7 to replace $Q$ in $L$ by a list of prime divisors of degree bounded by a subexponential function with parameter reduced by $\varepsilon$.

3. For each $Q$ in $L$ that is not in $\mathcal{F}$, use Heuristic Result 8 to decompose $Q$ in $\mathcal{F}$.

In order to analyse the algorithm, let us model it by a tree: the root is the divisor $D$, its sons are the prime divisors coming from its decomposition using Heuristic Result 9, then each internal node corresponds to a prime divisor and its sons are the prime divisors obtained using Heuristic Result 7 or Heuristic Result 8. The depth of the tree is bounded by $1/(3\varepsilon)$ since at each intermediate step the subexponential parameter is reduced by at least $\varepsilon$ and one has to cover a range of $1/3$. The number of sons of each node is bounded by $g$. Hence the total number of nodes is bounded by $g^{1/(3\varepsilon)}$. Since $\varepsilon$ is a fixed constant, this is a polynomial in $g \log q$ and therefore contributes only for a $o(1)$ in the subexponential complexity.

Let us allow a computation time of $L(1/3 + \epsilon, \nu + o(1))$, for fixed positive 
constants $\epsilon$ and $\nu$. Then the first step, which uses Heuristic Result 9, can decompose 
$D$ into prime divisors of degree at most $\log_q L(2/3 - \epsilon, c_0)$ in time $L(1/3 + \epsilon, \nu + o(1))$ 
for $c_0 = (1/3 + \epsilon)/\nu$. Going one step down the tree, one can decompose these 
primes using Heuristic Result 7 into primes of degree at most $\log_q L(2/3 - 2\epsilon, c_1)$ 
in the same time, for $c_1 = c_0 n_0 (1/3 + \epsilon)/\nu$. Going from level $k$ to level $k+1$ in 
the tree will decompose into primes of degree at most $\log_q L(2/3 - (k+2)\epsilon, c_{k+1})$ 
in the same time, for $c_{k+1} = c_k n_0 (1/3 + \epsilon)/\nu$. Finally, each last step will be 
feasible in the same running time if $\rho > c_K n_0 (1/3 + \epsilon)/\nu$, where $K$ is the depth 
of the tree. 
This value of $\rho$ is feasible and does not affect the overall complexity. It only 
changes the exponent in the $L(1/3)$ runtime of the group structure algorithm, 
whose complexity remains negligible compared to the $L(1/3 + \epsilon)$ of the present 
algorithm. Therefore, a suitable choice of $\rho$, $c_0$ and $c_k$ in Algorithm 10 results 
in a running time of $L(1/3 + \epsilon, \nu + o(1))$ for any given $\epsilon$ and $\nu$. 
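
As an added worked derivation (not part of the original paper), the recursion on the 
$c_k$ can be unrolled to make explicit that the required $\rho$ is a constant depending 
only on $\epsilon$, $\nu$ and $n_0$, not on $g$ or $q$; the symbols are those defined above: 

```latex
% Unrolling c_{k+1} = c_k n_0 (1/3+\epsilon)/\nu with c_0 = (1/3+\epsilon)/\nu:
c_k = c_0 \left( \frac{n_0 (1/3+\epsilon)}{\nu} \right)^{k}
    = \frac{n_0^{\,k} (1/3+\epsilon)^{k+1}}{\nu^{k+1}}, \qquad k \ge 0 .

% The last level of the tree is K \le 1/(3\epsilon), so the condition
% \rho > c_K n_0 (1/3+\epsilon)/\nu reads
\rho > \frac{n_0^{\,K+1} (1/3+\epsilon)^{K+2}}{\nu^{K+2}},
\qquad K \le \frac{1}{3\epsilon} .

% The right-hand side involves only the fixed constants \epsilon, \nu, n_0 and the
% constant depth K; it is therefore independent of g and q, which is why choosing
% \rho this large in the precomputation (Algorithm 6) only changes the constant in
% its L(1/3) exponent.
```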

Choosing $\epsilon/2$ in the place of $\epsilon$ (and an arbitrary $\nu$) shows that even a com- 
plexity of $L(1/3 + \epsilon, o(1))$ is achievable. 

Remark. In the analysis, we have remained silent about the exact nature of the 
$o(1)$ terms. As long as a fixed number of them is involved, this does not pose 
any problem. But at first sight, since Heuristic Result 7 is used a non-constant 
number of times, one apparently needs to make the $o(1)$ terms explicit to check 
that they do not sum up to something that is not tending to zero. However, 
although the number of nodes in the tree of Algorithm 10 is in $g^{1/(3\epsilon)}$, the $o(1)$ 
term is the same for any given level in the tree, so that actually only the depth 
of the tree is important for these $o(1)$-term considerations. The depth of the 
tree is in $1/(3\epsilon)$, which is a constant, so that we actually consider a constant 
number of $o(1)$ terms and need not make them explicit. 

6 Extensions to wider families of curves 

6.1 Highly singular curves 

Consider the case where the curve has an equation of the appropriate form, 
but with a genus that is much smaller than $nd$. Then letting $g' = nd$, one may 
apply the exact same algorithms, yielding an $L(1/3 + \epsilon)$ complexity. However, the 
subexponential function is now taken with respect to $q^{g'}$. This may still result 
in a subexponential complexity in $q^g$, depending on the relation between $q$, $g$ 
and $g'$. 

6.2 Different balancing between n and d 

Here we consider the case where $n \approx g^{\alpha}$ and $d \approx g^{1-\alpha}$ for $\alpha \in [1/3, 1/2]$. We 
shall just give an informal description of an algorithm that yields an $L(1/3)$ 
complexity for the group structure. Note that to obtain the claimed complexity 
without $\epsilon$, the bounds on $n$ and $d$ should resemble the ones we have in Section 4. 
For instance, bounds of the form $n \le n_0 g^{\alpha} M^{-\alpha}$ and $d \le d_0 g^{1-\alpha} M^{\alpha}$ would 
suffice. For the sake of better readability, we content ourselves with approximate 
bounds. 

Let us restrict to $C_{ab}$ curves for simplicity, and let us call $P_\infty$ the unique 
place at infinity. We proceed as in Algorithm 6, but the functions we consider 
are of the more general form: 

$$\varphi = a_0(X) + a_1(X) Y + \cdots + a_k(X) Y^k,$$ 

where the $a_i(X)$ have a degree bounded by $g^{\beta}$ and $k$ is taken of the form $g^{\gamma}$, 
for some $\beta$ and $\gamma$ to be determined. Then the divisor of $\varphi$ is of the form $E - 
(\deg E) P_\infty$, with $E$ effective of degree bounded by $g^{(1-\alpha)+\gamma} + g^{\beta+\alpha}$. 
Fix a smoothness bound of $g^{\beta+\gamma}$; with the usual heuristic, one can find $E$ 
that is smooth in time about $g^{\max(\alpha-\gamma,\,(1-\alpha)-\beta)}$. The consistency check that the 
sieving space must be larger than the factor base yields the condition 

$$\beta + \gamma \ge \max(\alpha - \gamma, (1-\alpha) - \beta),$$ 

which gives $\beta + 2\gamma \ge \alpha$ and $\gamma + 2\beta \ge 1 - \alpha$. This in turn imposes that $\beta + \gamma \ge 
1/3$. Therefore, in this setting we cannot hope to get anything better than 
an $L(1/3)$ complexity. We now show that this complexity is achievable: taking 
$\beta = 2/3 - \alpha$ and $\gamma = \alpha - 1/3$, all the conditions are satisfied, and the complexity 
is as announced. 
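
The optimisation of $\beta$ and $\gamma$ carried through explicitly, as an added worked 
derivation that is not part of the original paper; the symbols are those of this 
section: 

```latex
% The two consequences of \beta+\gamma \ge \max(\alpha-\gamma, (1-\alpha)-\beta):
\beta + 2\gamma \ge \alpha, \qquad 2\beta + \gamma \ge 1 - \alpha .

% Adding them bounds the smoothness exponent from below:
3(\beta + \gamma) \ge 1 \quad\Longrightarrow\quad \beta + \gamma \ge \tfrac{1}{3},

% so the smoothness bound g^{\beta+\gamma} is at least g^{1/3}, which is what forces L(1/3).
% The optimum takes both inequalities with equality:
\beta + 2\gamma = \alpha, \qquad 2\beta + \gamma = 1 - \alpha .

% Subtracting the first from the second and combining with \beta+\gamma = 1/3:
\beta - \gamma = 1 - 2\alpha, \qquad \beta + \gamma = \tfrac{1}{3}
\quad\Longrightarrow\quad
\beta = \tfrac{2}{3} - \alpha, \qquad \gamma = \alpha - \tfrac{1}{3} .

% Both exponents must be non-negative (k = g^{\gamma} \ge 1 and \deg a_i \le g^{\beta}):
% \gamma \ge 0 requires \alpha \ge 1/3, which is why the L(1/3) complexity is lost
% below \alpha = 1/3, and \beta \ge 0 holds throughout \alpha \in [1/3, 1/2].
```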

In the particular case of $\alpha = 1/3$, we recover $\beta = 1/3$ and $\gamma = 0$, which 
corresponds to Algorithm 6. In the other extremal case $\alpha = 1/2$, we get $\beta = \gamma = 
1/6$. 

If $\alpha$ gets smaller than $1/3$, then the $L(1/3)$ complexity is not achievable with 
this algorithm. In fact, for each value of $\alpha \in [0, 1/3]$, there is an $L(x)$ complexity 
with $x \in [1/3, 1/2]$, and finally, for hyperelliptic curves one essentially recovers 
Adleman-DeMarrais-Huang's $L(1/2)$ algorithm. 

All of this concerns only the group structure. For the special-Q descent, how- 
ever, things get more complicated and the $L(1/3 + \epsilon)$ complexity is lost when 
$\alpha$ is bigger than $1/3$. More precisely, the same kind of computations as above 
yields a complexity of $L(\alpha + \epsilon)$ for $\alpha \in [1/3, 1/2]$. 